[TYPO3-core] RFC #15504: Description of TYPO3_CONF settings should allow HTML markup for readability

Ernesto Baschny [cron IT] ernst at cron-it.de
Thu Aug 19 18:40:10 CEST 2010


David Bruchmann wrote on 19.08.2010 18:14:
> ----- Original Message -----
> From:       Ernesto Baschny [cron IT] <ernst at cron-it.de>
> Sent:       Thursday, 19 August 2010 17:51:57
> To:         typo3-team-core at lists.typo3.org
> CC:
> Subject:    Re: [TYPO3-core] RFC #15504: Description of TYPO3_CONF
> settings should allow HTML markup for readability
> 
> Hi Ernesto,
> 
>>>
>>> I didn't test it and you can correct me if I'm wrong:
>>>
>>> Is it possible to insert iframes or script-tags?
>>>
>>> If yes: is it a security-issue perhaps?
>>
>> Everything is possible. It is a security issue if some patch enters the
>> core that includes them. The whole config_default.php is not written by
>> anyone except the core developers. You'll have to trust us.  ;)
>>
>>
> 
> As long as it isn't possible to override the settings via (fake or
> modified) extensions, I trust you without any doubt.
> But I propose excluding some elements like iframes, script, flash and
> canvas, perhaps to rule out those possibilities in general, because as far
> as I know the settings can be changed from any extension or script
> without much know-how.
> Hope you don't think I'm paranoid ;)

I think this is not needed, because only the t3lib/config_default.php
file is read as a text file by the install tool. No PHP processing is
done, and no code from extensions is included. It is read by:

  t3lib_div::getUrl(PATH_t3lib.'config_default.php');

and then the comments are extracted from it.

So as long as nobody is able to manipulate this file, we don't need to
do any paranoid checking with the HTML, we can just output it.

Cheers,
Ernesto
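
To make the mechanism in Ernesto's reply concrete, here is an added example (my own code, not TYPO3's install tool or any part of the core): the config file is read as text rather than included, the description is pulled from the trailing comment beside each setting, and the two output policies discussed in the thread are shown side by side, emitting the markup as-is versus an element allowlist. The one-line `'key' => value, // description` layout, the sample text and the function names are assumptions for illustration.

```php
<?php
// Added example, not TYPO3 code: a minimal stand-in for an install tool that
// reads a config file as TEXT (never include()s it), pulls the "// ..." comment
// beside each setting, and renders the descriptions. The one-line layout
//   'key' => value,   // description
// and the names below are assumptions for illustration.

// Constructed sample standing in for t3lib/config_default.php. The last
// description deliberately carries a <script> tag to show what each renderer
// does with it.
$sampleConfigText = <<<'CFG'
$TYPO3_CONF_VARS = array(
    'GFX' => array(    // Image processing settings
        'image_processing' => 1,    // Boolean: enables <b>image processing</b> features.
        'gdlib' => 1,    // Boolean: enables the <i>GDLib</i> functions.
    ),
    'SYS' => array(    // System settings
        'encryptionKey' => '',    // String: secret key <script>alert(1)</script> (keep it private)
    ),
);
CFG;

/**
 * Scan the file text line by line and collect 'SECTION/key' => description.
 * Nothing in the file is evaluated: an extension cannot get code run through
 * this path, which is the point made in the mail above. Only one nesting
 * level is handled, enough for the sample.
 */
function extractDescriptions(string $text): array
{
    $descriptions = [];
    $section = null;
    foreach (preg_split('/\R/', $text) as $line) {
        // Section header:  'GFX' => array(   // optional comment
        if (preg_match("/^\s*'([^']+)'\s*=>\s*array\s*\(/", $line, $m)) {
            $section = $m[1];
            continue;
        }
        // Leaf setting:  'key' => value,   // description
        if ($section !== null
            && preg_match("/^\s*'([^']+)'\s*=>\s*.*?,\s*\/\/\s*(.*)$/", $line, $m)) {
            $descriptions[$section . '/' . $m[1]] = trim($m[2]);
        }
    }
    return $descriptions;
}

/**
 * Policy 1 (what the mail argues is sufficient while only core developers can
 * write the file): emit the description markup verbatim. The key is escaped
 * because it is data; the description is trusted as author-written HTML.
 */
function renderTrusted(array $descriptions): string
{
    $html = '';
    foreach ($descriptions as $key => $description) {
        $html .= '<dt>' . htmlspecialchars($key, ENT_QUOTES, 'UTF-8') . '</dt>'
               . '<dd>' . $description . "</dd>\n";
    }
    return $html;
}

/**
 * Policy 2 (the allowlist David proposes): keep a few formatting elements and
 * drop everything else. strip_tags() removes the tags but not their text, so
 * "<script>alert(1)</script>" becomes "alert(1)"; it also leaves attributes on
 * allowed tags untouched, so do not add <a>, <img> or similar to the list
 * without a real sanitizer.
 */
function renderAllowlisted(array $descriptions, string $allowedTags = '<b><i><em><strong><code><br>'): string
{
    $html = '';
    foreach ($descriptions as $key => $description) {
        $html .= '<dt>' . htmlspecialchars($key, ENT_QUOTES, 'UTF-8') . '</dt>'
               . '<dd>' . strip_tags($description, $allowedTags) . "</dd>\n";
    }
    return $html;
}

$descriptions = extractDescriptions($sampleConfigText);
echo "Trusted:\n",     renderTrusted($descriptions);
echo "Allowlisted:\n", renderAllowlisted($descriptions);
```

Running this prints the `SYS/encryptionKey` entry twice: once with the `<script>` element intact (the trust-the-file policy) and once reduced to the text `alert(1)` (the allowlist policy). Which one is appropriate depends entirely on the trust boundary Ernesto names: whether anyone other than the core developers can write to the file that is parsed.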